The Web Security Mailing List

"Last week, Sun released a patch for a vulnerability I reported to them. The patch I’m talking about fixes the “GIFAR” issue. I was unable to speak on the issue at Black Hat (for various reasons), but Nate McFeters did a great job of presenting the concept of GIFARs at Black Hat USA along with a simple example of how an attacker could use a GIFAR in an attack. Now that the issue has been patched, I’d like to cover some of the things related to “GIFARs” that I thought were interesting (including a few items that were not mentioned at Black Hat).

Before we begin, I’d like to thank Chok Poh from Sun’s Security team. Chok was vital in fixing the GIFAR issue. This patch required some significant thought as to how to best handle this issue. Chok was very responsive and was smart enough to understand the impact of the unusual issue. I’d also like to thank the Google Security team. Google was our “guinea pig” for testing some of the pieces related to GIFARs and, despite having to redesign some of their application behavior, they were gracious and worked very diligently to protect their users."